As the Worm Turns -- The Spam Forgery Saga Continues
by Pete Stokely, November 16, 2003

Good news and bad news on the spam forgery front.

The good news is that we were never actually blacklisted by AOL, or apparently by anybody else.

Not that all is well: we are still receiving our nightly avalanche of email bounce messages. These announce non-delivery of spam purportedly sent by users at stokely.com. These users, thousands of them, are all fake.

The wording of the bounce messages sometimes says that further mail from us will not be accepted. We took this to mean that we had been placed on various block lists.

We screeched. Several of you wrote to say similar things have happened to you. More than a few web sites I've visited lately have posted disclaimers like ours to point out that spam purporting to originate with their domain is the result of forgery.

So it began to appear that we had become members of a pretty non-exclusive club -- the Our Domain Has Been Forged By Spammers club.

We did some analysis which shows how non-exclusive this club is. We also asked AOL for advice.

AOL's Advice

Most of the spam sent out under our name is aimed at AOL users. Whether this is by random chance, or because they have the most users, or because AOL users stupidly respond to spam more than most, I have no idea.

I called their Postmaster Hot line (888.212.5537). A courteous and knowledgeable gentleman listened to my description of what we were seeing. He gave guidance I can summarize as follows:

There is a worm going around.

About all you can do about it is hang in until the worm runs its course.

Anything that can be forged, will be forged. AOL knows this. If this is "all" that is happening to you, don't sweat it.

What they look for instead is actual mail servers with unusual levels of activity. That's where the spam is actually being injected into, or relayed through, the net.

So they know we're not outlaws. But what can we discover about the forgers who are using our name in vain? And just how are they using our name in vain?

A Brief Anatomy of "Our" Spam

I saved a few thousand of the bounced mail messages. I wrote some quick-and-dirty Perl to analyze the headers. After a little prowling, two conclusions jumped out. I categorize both as bad news.

First, the mechanics of generating spam are really easy. It is obvious that the software is simple, table-driven stuff. All you need to supply is a few lists of real or fake elements to insert into the various mail header fields. Use a simple random-draw algorithm to mix and match the header values. Pick a piece of sleazy content to enclose and -- voila -- you have a spam message that doesn't, exactly, look like any other spam message. Also it is not, exactly, routed like any other spam message through the net.

We are not talking rocket science here. The program to do this could be written by a hamster.

Second, there are two levels of forgery going on. One generates fake users, the other fake servers. No matter who you are -- or how high your standards of ethics and security are -- your domain name can easily be incorporated into both.

The spam program creates fake users -- for insertion into the From and Return-Path headers -- in an extremely simple way. It just grafts a random user name onto a real domain name.

Here are some examples of people who don't work at stokely.com but who "apparently" sent spam from here:

0008 From: "Christoph Dassani"
0006 From: "Georgine P. Liew"
0005 From: "Belissa Samsonenko"
0004 From: "Deann J. Skiclub"
0004 From: "Cora Garneau"
0004 From: "Marlyne Luwemba"
0004 From: "Maurijn F. Ihnat"
0004 From: "Wallis Fussell"

In all, 2117 of these mysterious people were concocted to create the 2387 spam mailings in the batch I analyzed. The first column is the number of times this particular user name was used.

The elusive Mr. Dassani (he doesn't Google) was invoked most often -- eight times, or a mere 0.3% of the total.

What can we -- or you -- do about this? Absolutely nothing. Any idiot can get your domain name off of any number of lists. There are no feasible ways I can think of that an arbitrary ISP can tell that there is no Wallis Fussell here. Sure, we could bounce the bounces back to the poor ISP, but that would just clog the net even more, since there is an infinite number of users who don't work at stokely.com. In short, as a wise mail guru told us at the outset, you're hosed.

As an aside, the subject lines are amusing. Here are a few of the 1730 different ones that the ghostly Mr. Skiclub and his cohorts sent out:

12: New version is out
10: My shady past
10: Your friend said this
8: You sure will want it
8: Re: Your assignment
8: Fresh and funky!
8: You blocked my IM!
8: No introductions needed
7: Working hard lately?
7: Introduce yourself please
7: It is too big for me!
7: You blocked my ICQ

Other subjects were more pointed, and randomized with gibberish, like

1: Try some Levitra, ultram, skelaxin eckowpcsdhtawdom
1: Get a larger member aoeqwdnuxibxbish

If you were to take all this at face value, you'd get the impression that stokely.com uses every drug under the sun and has pockets of deep male performance anxiety. I'm happy to report that neither is true.

I mentioned that two kinds of forgery are used. The second is server name forgery. This is employed to conjure up plausible, but fake, "from" fields in Received headers. In the spam being sent under our name, this too is being done in an extremely simple way.

We analyzed the bottom-most (first apparently sent) Received headers to see which server purportedly originated the message.

Nearly all were clearly forged by the simple expedient of combining a (mainly) real domain name with a real, but incorrect, IP address. Here are just two out of hundreds of different forged/faked domains used in this batch:

0001 turban.com ([142.177.209.160])
0001 turbofan.com ([64.228.76.142])

Both turban.com and turbofan.com actually exist, but not at these IP addresses. We were forged in this way too, but only once:

Here the forgery is obvious to anyone who cares to do a reverse DNS lookup, but not all cases are this clear-cut and not all ISPs in the world are competent enough and ethical enough to do it. Evidence of the latter point is that, in this batch, no less than 672 relay servers were found, from all over the US and Europe, who could and would pass this forged junk along on its way to AOL.
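The two analyses above (tallying the fake From names, and checking the bottom-most Received header against reverse DNS) can be done in a few dozen lines. The following is an added example written for this page, not the author's quick-and-dirty Perl; the bounce samples are constructed (hostnames follow the article's examples, IP addresses are RFC 5737 documentation ranges) and the PTR table is a stand-in for a real reverse lookup so it runs offline.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample spam as it would sit inside a bounce (not from the article).
SAMPLES = [
    'Received: from mx.relay.example ([198.51.100.7])\n'
    '\tby mail.aol.example; Sun, 16 Nov 2003 02:11:00 -0500\n'
    'Received: from turban.com ([203.0.113.160])\n'
    '\tby mx.relay.example; Sun, 16 Nov 2003 02:10:58 -0500\n'
    'From: "Wallis Fussell" <wfussell@stokely.com>\n'
    'Subject: You blocked my IM!\n\nbody\n',
    'Received: from turbofan.com (turbofan.com [203.0.113.142])\n'
    '\tby mx.relay.example; Sun, 16 Nov 2003 03:40:12 -0500\n'
    'From: "Christoph Dassani" <cdassani@stokely.com>\n'
    'Subject: New version is out\n\nbody\n',
    'Received: from smtp.legit.example (smtp.legit.example [192.0.2.10])\n'
    '\tby mx.relay.example; Sun, 16 Nov 2003 04:01:00 -0500\n'
    'From: "Christoph Dassani" <cdassani@stokely.com>\n'
    'Subject: My shady past\n\nbody\n',
]

# Constructed stand-in for reverse DNS (ip -> PTR name); a real check would resolve.
PTR = {'192.0.2.10': 'smtp.legit.example'}

# Matches "from host ([ip])" and "from host (name [ip])" in a Received header.
RECEIVED = re.compile(r'from\s+(\S+)\s+\((?:\S+\s+)?\[?(\d+(?:\.\d+){3})\]?\)')

def origin(msg_text):
    """Return (claimed host, IP) from the bottom-most Received header, else None."""
    hops = message_from_string(msg_text).get_all('Received') or []
    m = RECEIVED.match(' '.join(hops[-1].split())) if hops else None
    return (m.group(1).lower(), m.group(2)) if m else None

def forged_origin(host, ip, ptr=PTR):
    """True when reverse DNS for ip does not point back at the claimed host."""
    return ptr.get(ip, '').lower() != host

def tally(messages):
    """Count From display names and forged origin hosts across a batch of bounces."""
    names, origins = Counter(), Counter()
    for text in messages:
        names[parseaddr(message_from_string(text)['From'])[0]] += 1
        o = origin(text)
        if o and forged_origin(*o):
            origins[o[0]] += 1
    return names, origins

if __name__ == '__main__':
    names, origins = tally(SAMPLES)
    for name, n in names.most_common():
        print(f'{n:04d} From: "{name}"')
    for host, n in origins.most_common():
        print(f'{n:04d} forged origin {host}')
```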

What can we conclude from this quick analysis? Simply this sad fact: domain forgery, on a massive scale, has become a fact of life. Nobody is exempt. Anybody with a list of domain names can do it. Anybody with the programming skills of a starfish can program it.

Although the gentleman at AOL advised us to "just hang in until the worm runs its course," I suspect we'll have to hang in a lot longer than that. This worm will undoubtedly be followed by others, and the forgery tricks will be continued as long as they continue to work. That is, until the White Hats plug a few holes in the spam propagation chain.

A Job for Woody Woodpecker

I suppose I could be pessimistic. Apparently, unless there is some structural change in the way the world's email is managed, the White Hats have two seemingly impossible tasks:

Track down and root out each and every greedy, sleazy or stupid Postmaster on the Internet.

Track down and patch ALL of the security vulnerabilities (past, present and future) in all the Microsoft boxes connected to the Internet anywhere in the world.

We touched on the rationale for the first impossible task above.

The second, even more infinitely impossible task, is motivated by the relatively recent -- and spectacularly unholy -- union of spammers with worm writers. The role of the worms (like, apparently, Sobig.F) is evidently to seek out the world's millions of un-patched Microsoft boxes and turn each of them into a little mail server. This is, in turn, in the service of a little spam generator program which, as we have observed, can be written by a gerbil.

Either task alone reminds me of a very old comic book in which somebody (Woody Woodpecker?) was commanded to remove all the rocks from the Rocky Mountains. There is a frame where the tiny bird, with a shovel in one hand and a bucket in the other, looks up at the mammoth extent of the Front Range, towering majestically above him and stretching out to a radiant infinity on both sides.

"Hmmm," he mutters. "This will take longer than I thought."

So it will. The White Hats have a lot to do. Some of it will be piecemeal: squashing individual vermin lurking under the Monoculture's many slimy rocks. Some will undoubtedly be structural: strategically changing the rules of the game. Some will be strictly legal; some will involve some -- heh heh -- creative vigilantism.

But I'm betting on the White Hats. A lot of them are SysAdmins out of the *nix community -- the very people for whom we created this site. If you are reading this, you are very likely one of them. While I am bitching about the problem, you are probably actually doing something about it.

If you are anything like most of the SysAdmins I've known over the years, the spammers and worm-writers and other spawn of the Monoculture have a good deal to worry about. When you need to be, you can be every bit as crafty, treacherous and downright nasty as the sleazeballs. When angered, your wrath is mighty. When you smite, things tend to get pretty smote.

The folks here at stokely.com (both the real ones and the 2217 imaginary ones) salute you, and believe you will prevail. Your task is, and will be hard. Thanks for taking it on. Let us know if we can help.